How to define the VLANs allowed on a trunk link

Introduction

How to define the VLANs allowed on a trunk link.

Resolution

When a trunk link is established, all of the configured VLANs are allowed to send and receive traffic across the link. VLANs 1 through 1005 are allowed on each trunk by default. However, VLANs can be removed from the allowed list, which prevents their traffic from crossing the trunk link.

Note: The allowed VLAN list on both the ends of the trunk link should be the same.

For Integrated Cisco IOS Software based switches

Note: VLANs 1 and 1002 through 1005 are reserved VLANs and cannot be removed from any trunk link.

The vlan-list parameter is either a single VLAN ID or a range of VLAN IDs. A range is written as two VLAN numbers separated by a hyphen. Do not enter any spaces between comma-separated VLAN IDs or within hyphen-specified ranges.

For example, to remove VLANs 5 through 10 and 12 from the trunk, issue the switchport trunk allowed vlan remove 5-10,12 command.

To add a VLAN to the trunk, issue the switchport trunk allowed vlan add vlan-list command.
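The rules above (the default 1-1005 list, the vlan-list syntax with no spaces, the add and remove operations, the reserved VLANs that cannot be removed, and the requirement that both ends of the trunk carry the same list) are summarised here as an added Python model. It is an illustration written for this page, not code from the document or from Cisco IOS; the class and function names are mine, and the sample lists are constructed.

```python
"""
Added illustration (not Cisco's code): a small model of a trunk port's
allowed-VLAN list that follows the rules stated in the document above.
"""
import re
from typing import Optional, Set

# Default allowed list on a new trunk: VLANs 1 through 1005 (from the document).
DEFAULT_ALLOWED: Set[int] = set(range(1, 1006))

# VLANs 1 and 1002-1005 are reserved and cannot be removed from any trunk
# (from the document).
RESERVED: Set[int] = {1, 1002, 1003, 1004, 1005}

# vlan-list syntax from the document: IDs or hyphen ranges, comma separated,
# no spaces anywhere.
_VLAN_LIST_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


def parse_vlan_list(vlan_list: str) -> Set[int]:
    """Parse a vlan-list such as '5-10,12' into a set of VLAN IDs."""
    if not _VLAN_LIST_RE.match(vlan_list):
        raise ValueError(f"malformed vlan-list (no spaces allowed): {vlan_list!r}")
    vlans: Set[int] = set()
    for item in vlan_list.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            if lo > hi:
                raise ValueError(f"range out of order: {item}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(item))
    return vlans


class TrunkAllowedList:
    """Allowed-VLAN list of one trunk port, with add/remove as on the CLI."""

    def __init__(self, allowed: Optional[Set[int]] = None) -> None:
        self.allowed: Set[int] = set(DEFAULT_ALLOWED if allowed is None else allowed)

    def remove(self, vlan_list: str) -> "TrunkAllowedList":
        # 'switchport trunk allowed vlan remove <vlan-list>': reserved VLANs stay.
        self.allowed -= parse_vlan_list(vlan_list) - RESERVED
        return self

    def add(self, vlan_list: str) -> "TrunkAllowedList":
        # 'switchport trunk allowed vlan add <vlan-list>'
        self.allowed |= parse_vlan_list(vlan_list)
        return self

    def to_vlan_list(self) -> str:
        """Render the allowed set back into compact vlan-list form."""
        ids = sorted(self.allowed)
        parts = []
        i = 0
        while i < len(ids):
            j = i
            while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
                j += 1
            parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
            i = j + 1
        return ",".join(parts)


def trunk_mismatch(end_a: TrunkAllowedList, end_b: TrunkAllowedList) -> Set[int]:
    """VLANs allowed on only one end of the trunk; should be empty."""
    return end_a.allowed ^ end_b.allowed


if __name__ == "__main__":
    # Constructed sample: one end has 12 removed, the other does not.
    side_a = TrunkAllowedList().remove("5-10,12")
    side_b = TrunkAllowedList().remove("5-10")
    print("side A:", side_a.to_vlan_list())
    print("side B:", side_b.to_vlan_list())
    print("only on one end:", sorted(trunk_mismatch(side_a, side_b)))
```

The remove method subtracts the reserved set before applying the change, so asking to remove VLAN 1 or 1002-1005 is silently a no-op, matching the note above. The mismatch helper is the check to run when comparing both ends of a trunk: any VLAN it returns is allowed on one switch only.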

Comments

What is the advantage of allowing certain VLANs vs. allowing all? Currently we have all VLANs allowed in the network and want to allow only certain VLANs instead; how can we determine which VLANs should be allowed?

If the network administrator can't tell the purpose of the various VLANs you have a serious problem! VLANs are used to have just one backbone while providing "shielded" separate networks within that infrastructure. Like having Internet in one VLAN and the internal stuff in another.

As an example for allowing only specific VLANs, imagine a company that has an ICT department that provides the network backbone, and the programming department has some ESX servers running. The network card going to the ESX server should only allow the VLANs used by the programmers, to prevent them from creating a VM that has a NIC in the wrong VLAN. They may think they know what they are doing but (unintentionally) enter the wrong VLAN ID and put a VM in your production server VLAN, disrupting your whole server park.

If you want to see the VLANs on a switch and which access port is a member of which VLAN, issue the command "show vlans" to get a nice list. For the ports in trunk mode this will not help, so you have to check the device attached to the port for its configuration. All in all, coming back to the question: why did you allow all VLANs on all trunk ports, ultimately resulting in not being able to answer the question of which device is a member of which VLAN? So always have perfect documentation and/or use the "switchport trunk allowed vlan" command to limit the trunk to the necessary VLANs.